Splunk Search

How to exclude users from service account values: a generic approach?

AL3Z
Builder

Hi,

I'm attempting to create a method to exclude users from service account values without excluding a particular service account. Is there a generic approach we can use to identify and exclude both existing and future service accounts?
How could we write the search for this use case?

Thanks.

0 Karma

AL3Z
Builder

@richgalloway @PickleRick ,

What I need here is: in the event there are OU=Service IDs, OU=users, OU=computers, exclude all the src_user from OU=Service IDs only.

Thanks

0 Karma

richgalloway
SplunkTrust

It would help to have a more defined set of requirements as well as sample input and output, but perhaps this will help.

<<your search>>
| search NOT (OU="Service IDs" AND [ | inputlookup mylookup.csv | fields src_user | rename src_user as sAMAccountName | format ])

Adjust the fields and rename commands as necessary to match your fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
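As an added example (not code from richgalloway's reply), the same exclusion written with the lookup command instead of a subsearch; the subsearch form stops working silently once the exclusion list exceeds the subsearch result limit, while the lookup command scales with the file. It assumes a lookup file named service_accounts.csv with a single column sAMAccountName, an index named wineventlog, and that the events already carry src_user and OU fields (all of these names are assumptions, not taken from the thread).

```spl
index=wineventlog EventCode=4738
| rename COMMENT AS "Added example: service_accounts.csv is an assumed lookup with one column, sAMAccountName; index and field names are assumed too"
| lookup service_accounts.csv sAMAccountName AS src_user OUTPUT sAMAccountName AS listed_service_account
| rename COMMENT AS "listed_service_account is non-null only when src_user appears in the lookup; the search command treats a null field as a non-match, so events without a lookup hit are kept"
| search NOT (OU="Service IDs" AND listed_service_account=*)
| fields - listed_service_account
| table _time, src_user, user, OU
```

The inline variant richgalloway mentions is the same filter with the list spelled out, e.g. `| search NOT (OU="Service IDs" AND src_user IN ("svc_backup", "svc_monitor"))` with constructed account names; it works, but every new service account then means editing the saved search rather than a CSV row.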

AL3Z
Builder

@richgalloway ,

Why do we need a lookup table over here? I don't think we need it. I just want to exclude all the service accounts from OU="Service IDs" from an event.

0 Karma

richgalloway
SplunkTrust

You don't *need* a lookup.  You can put an exclude list directly in the SPL, but that may end up being more difficult to maintain.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Apart from the redundant "4738" in the macro, this code looks like it should work.  How is it failing you?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Debug the query by running the commands before the first | in a new query.  Verify the desired fields are present.  Add the commands up to the next | and verify the fields are still there.  Repeat the process until the fields disappear and you'll have found the source.  Post the details if you need help determining the cause.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi, how can we exclude service accounts from this event?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>

0 Karma

AL3Z
Builder

Here OU is a multi-value field.

0 Karma
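Added example, not from the thread: when OU is a multivalue field, the OU itself identifies the service accounts, so no list has to be maintained and an account created later under OU=Service IDs is excluded the first time it appears. A second signal is taken from the posted 4738 event, whose subject EC_OktaGMSER$ carries the trailing `$` that is the convention for computer and group managed service accounts. The index name wineventlog and the presence of src_user and OU on the event are assumptions.

```spl
index=wineventlog EventCode=4738
| rename COMMENT AS "Added example; OU is assumed to be a multivalue field with one value per OU level of the account's DN, index and field names are assumed"
| rename COMMENT AS "mvfind returns the index of the first OU value matching the regex, or null when no value matches"
| eval in_service_ou=if(isnotnull(mvfind(OU, "(?i)^Service IDs$")), 1, 0)
| rename COMMENT AS "trailing $ marks computer and gMSA accounts, as in EC_OktaGMSER$ from the posted event"
| eval has_machine_suffix=if(match(src_user, "\$$"), 1, 0)
| eval is_service_account=if(in_service_ou=1 OR has_machine_suffix=1, "yes", "no")
| where is_service_account="no"
| table _time, src_user, user, OU, is_service_account
```

Keeping is_service_account as a field rather than filtering immediately makes the rule easy to check: run the search without the `where` line and compare the yes/no split against a known account before trusting it in an alert.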

AL3Z
Builder

@richgalloway 

Any suggestions on this use case?

Thanks 

0 Karma

PickleRick
SplunkTrust

Just use a lookup which lists all accounts to exclude.

0 Karma

AL3Z
Builder

Hi,

What if we get the future service accounts?

0 Karma

richgalloway
SplunkTrust

Update the lookup file as new service accounts are added or removed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
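Added example (not from the thread) of how the lookup richgalloway describes can be refreshed automatically instead of edited by hand: a search that selects accounts whose distinguished name places them under OU=Service IDs and rewrites service_accounts.csv, meant to be saved as a scheduled report. The index ad_users, the sourcetype ad_user_snapshot, the fields sAMAccountName and distinguishedName, and the lookup name are all assumptions about how directory data reaches Splunk.

```spl
index=ad_users sourcetype=ad_user_snapshot
| rename COMMENT AS "Added example; index, sourcetype and field names are assumed, not from the thread"
| rename COMMENT AS "pull the first OU component out of a DN such as CN=svc_x,OU=Service IDs,OU=users,DC=example,DC=com (constructed)"
| rex field=distinguishedName "^CN=[^,]+,OU=(?<first_ou>[^,]+),"
| search first_ou="Service IDs"
| rename COMMENT AS "one row per account, keeping the most recent DN seen"
| stats latest(distinguishedName) AS distinguishedName BY sAMAccountName
| outputlookup service_accounts.csv
```

Because outputlookup replaces the whole file on each run, accounts moved out of the OU drop off the exclusion list at the next schedule, which covers the "added or removed" case without anyone touching the CSV.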

AL3Z
Builder

Hi

Any idea?

0 Karma